North Korea Experiencing Internet Outages, Raising Questions About US Retaliation

Is it coincidence, or is a DDoS on North Korea’s Internet infrastructure a “proportional response” by the US?

Three days after the US government officially blamed the North Korean government for masterminding the Sony attacks and President Obama promised that the US would “respond proportionally” to them, North Korea is reportedly experiencing widespread Internet outages — prompting the question of whether or not the US has struck back with a cyberattack of its own.

North Korea Tech first reported that the country’s Internet link was “flaky.” It quoted Doug Madory, director of Internet analysis at Dyn Research, as saying: “I haven’t seen such a steady beat of routing instability and outages in KP before. Usually there are isolated blips, not continuous connectivity problems. I wouldn’t be surprised if they are absorbing some sort of attack presently.”

Madory told The New York Times that North Korea’s networks were “under duress,” and that “This is consistent with a DDoS attack on their routers.”

Dmitri Alperovitch, co-founder and CTO of CrowdStrike, disagrees. “I don’t think this is something we can speculate about just yet,” he tells us. He believes that the little we know about the outage right now is more in line with a technical problem. The US has asked the Chinese government for assistance, and if this does turn out to be a DDoS, it’s possible that China could have acted on its own to disrupt the North Korean Internet infrastructure.

Friday, the US officially blamed the North Korean government for the attacks on Sony, but it did not describe the attacks as an act of war. President Obama said Friday, “I don’t think it was an act of war. I think it was an act of cyber vandalism that was very costly, very expensive.”

Alperovitch concurs. Some within the industry still question whether or not the North Korean government is truly to blame, but Alperovitch attributes the attacks to “Silent Chollima,” a North Korean hacking group that CrowdStrike has been following since 2006 and believes to be state-sponsored.

Silent Chollima has previously focused its efforts on South Korean targets, including some US military stations within South Korea. An American entertainment company may be a rather different type of target, but Alperovitch believes that the attackers were indeed motivated to attack Sony in response to The Interview — a comedy about assassinating North Korean leader Kim Jong-Un, which was supposed to hit theaters Christmas Day but has now been canceled.

“The movie is a big motivation,” says Alperovoitch. In North Korean culture, such subject matter would be considered a significant insult. Months ago, the North Korean government declared that The Interview was, itself, an act of war. “I think we should take them at their word.”

After the US officially pointed the finger at Pyongyang, North Korean officials responded harshly. They requested that American and North Korean experts conduct a joint investigation into the Sony attacks, and they warned that there will be “grave consequences” if the US declines that request.

In an official statement, the North Korean National Defense Commission said “Our toughest counteraction will be boldly taken against the White House, the Pentagon and the whole U.S. mainland, the cesspool of terrorism, by far surpassing the ‘symmetric counteraction’ declared by Obama.”

This bears a resemblance to the threats hackers made last week about physical attacks on cinemas that air The Interview. Alperovitch says that North Korea does not have the capabilities to carry out that kind of violence on American soil. “That’s blustering. They’re known to do this.”

US-CERT releases new details about malware
US-CERT issued an alert Friday about targeted destructive malware that appears to be that which was used in the Sony attacks. The alert desecribes the malware as a “Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company.”

The malware toolkit comes with five key components: a listening implant, a lightweight backdoor, a proxy tool, a destructive hard drive tool, and a destructive target cleaning tool. To propogate, the worm uses brute-force attacks to guess authentication credentials for SMB connections. If the worm obtains access, a “file share is established and file is copied and run on the newly-infected hostattack.”

The listening tool listens for connections on ports 195 and 444. US-CERT states “During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase ‘National Football League.'”

The backdoor can perform a great number of tasks, including file transfer, system survey, process manipulation, file time matching, proxy capability, arbitrary code execution, and command line execution, as well as functionality to “open ports in a victim host’s firewall and take advantage of universal Plug and Play (UPNP) mechanisms to discover routers and gateway devices, and add port mappings, allowing inbound connections to victim hosts on Network Address Translated (NAT) private networks.”

The proxy tool listens to TCP port 443 and can “fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files,” according to the alert.

The destructive hard drive tool is the real nasty part, but it’s more dangerous on a machine running with adminstrator privileges than one with usual user privileges. With admin privileges, “the program will over-write portions of up-to the first four physical drives attached, and over-write the master boot record (MBR) with a program designed to cause further damage if the hard drive is re-booted. This further results in the victim machine being non-operational with irrecoverable data… If the actor has user-level access, the result includes specific files being deleted and practically irrecoverable, but the victim machine would remain usable.”

US-CERT offered a long list of recommendations for combating these attacks and preparing for business continuity and incident response in the event of such an attack. For example, it advises organizations to perform daily backups, perform periodic “offline” backups to removable media, establish emergency communications plans, disable credential caching, and disable web and email capability on admin accounts.

Will The Interview be seen?
The movie may ultimately be seen in some form. Sony was widely criticized for canceling the release. On Thursday, the Guardians of Peace purportedly gave Sony the OK to release the film, as long as it removed the Kim Jong-Un death scene.

Meanwhile, Anonymous has threatened Sony that it had better release the movie — or else. In a letter to Sony Entertainment CEO Michael Lynton, uploaded to Pastebin on Sunday, representatives of Anonymous expressed their “sympathy,” stated that “we all know the hacks didn’t come from North Korea,” and declared that the “cowardly” decision to cancel the movie release was “denying us the privilege of the Freedom of Information Act.”

The message concluded with a threat: “Release ‘The Interview’ as planned, or we shall carry out as many hacks as we are capable of to both Sony Entertainment, and yourself.”

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency.┬áPrior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad … View Full Bio